topic Webauth and Webadmin certificates fail to install on a WLC 5520 in Wireless

Webauth and Webadmin certificates fail to install on a WLC 5520

ashmead123 — Mon, 05 Jul 2021 15:11:28 GMT

I have two certificates (Webauth and Webadmin), created using the WLC's CSR. Both fail to install. Both will TFTP onto the WLC fine using the Upload command on the GUI but fail to install.

The logs show: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1

The certificates were created by different authorities (internal CA and Digicert)

Both are .crt format. I have tried converting to PEM, this ends up as .cer format.

The common names (CN) are the hostname of the WLC

The WLC is in an SSO HA pair and running 8.3.133.0

Any pointers much appreciated

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Flavio Miranda — Wed, 31 Jan 2018 10:54:33 GMT

Hi @ashmead123

Did you follow some guide? Here on the forum we can see a lot of people with the same problem.

This guide looks very clear and updated. Take a look and let us know:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001.html

-If I helped you somehow, please, rate it as useful.-

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

ashmead123 — Wed, 31 Jan 2018 11:19:52 GMT

Hi Flavio

Thanks for this, all of the guides recommend the use of OpenSSL. Is this application a necessity to get the certificate to install correctly?
Do you have a trusted link to download openSSL?

Thanks
Ashley

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Flavio Miranda — Wed, 31 Jan 2018 11:23:21 GMT

Sure. Official web site. Go to the download tab.

https://www.openssl.org/

-If I helped you somehow, please, rate it as useful.-

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

ashmead123 — Sat, 24 Mar 2018 10:52:12 GMT

I have now converted the cert files into .pem format.

I now get the following debug output. Is this related to the certificate chain? Currently the certificate is in the format:

-----BEGIN CERTIFICATE-----

xxxx

-----END CERTIFICATE-----

pki debug:

*TransferTask: Mar 24 10:20:28.443: [PA] tftp rc=0, pHost=10.201.192.131 pFilename=/WebAuth.pem
pLocalFilename=cert.p12

*TransferTask: Mar 24 10:20:28.458: [PA] RESULT_STRING: TFTP receive complete... Installing Certificate.

*TransferTask: Mar 24 10:20:28.458: [PA] RESULT_CODE:13

*TransferTask: Mar 24 10:20:32.466: [PA] Adding cert (2128 bytes) with certificate key password.

*TransferTask: Mar 24 10:20:32.466: [PA] Add WebAuth Cert: Adding certificate & private key using password
*TransferTask: Mar 24 10:20:32.466: [PA] Add ID Cert: Adding certificate & private key using password
*TransferTask: Mar 24 10:20:32.466: [PA] Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password
*TransferTask: Mar 24 10:20:32.466: [PA] Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Mar 24 10:20:32.466: [PA] Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Mar 24 10:20:32.466: [PA] Decode & Verify PEM Cert: Cert/Key Length 2128 & VERIFY
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: X509 Cert Verification return code: 0
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: X509 Cert Verification result text: unable to get local issuer certificate
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: Error in X509 Cert Verification at 0 depth: unable to get local issuer certificate
*TransferTask: Mar 24 10:20:32.467: [PA] Add Cert to ID Table: Error decoding (verify: YES) PEM certificate
*TransferTask: Mar 24 10:20:32.467: [PA] Add ID Cert: Error decoding / adding cert to ID cert table (verifyChain: TRUE)
*TransferTask: Mar 24 10:20:32.467: [PA] Add WebAuth Cert: Error adding ID cert
*TransferTask: Mar 24 10:20:32.467: [PA] RESULT_STRING: Error installing certificate.

Thanks in advance

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Flavio Miranda — Sat, 24 Mar 2018 11:09:10 GMT

I think this link will help you:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

-If I helped you somehow, please, rate it as useful.-

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Etienne Buxin — Mon, 28 Oct 2019 14:30:46 GMT

*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: X509 Cert Verification return code: 0
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: X509 Cert Verification result text: unable to get local issuer certificate
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: Error in X509 Cert Verification at 0 depth: unable to get local issuer certificate

Looks like the file you try to import only contains the certificate of the WLC while it should contain the entire certificate chain, in this order: WLC, intermediate CA, root CA.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Sandeep Choudhary — Tue, 29 Oct 2019 06:02:54 GMT

Also try to upgrade the WLC software and then give a try again as 8.3.133.0 is already deffered from cisco.

Regards

Dont forget to rate helpful posts

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

William Foster — Mon, 06 Jan 2020 16:35:13 GMT

Can you please tell me what you did to get this to work. I am experiencing the exact same issue. My cert is a .pem and I am getting this error %UPDATE-3-CERT_INST_FAIL: updcode.c:3686 Failed to install certificate. rc = 1.

Any help would be greatly appreciated

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

William Foster — Mon, 06 Jan 2020 16:46:49 GMT

Actually to expand on my problem. I am not even able to TFTP the cert to the controller. I am getting a file transfer failed! I am certain that TFTP is not being blocked. However when I look at the log I see this below error.

TransferTask: Jan 06 10:44:20.336: %UPDATE-3-CERT_INST_FAIL: updcode.c:3686 Failed to install certificate. rc = 1 so it does appear my issue is different.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Etienne Buxin — Mon, 06 Jan 2020 19:37:34 GMT

@William Foster wrote:
Actually to expand on my problem. I am not even able to TFTP the cert to the controller. I am getting a file transfer failed! I am certain that TFTP is not being blocked. However when I look at the log I see this below error.

TransferTask: Jan 06 10:44:20.336: %UPDATE-3-CERT_INST_FAIL: updcode.c:3686 Failed to install certificate. rc = 1 so it does appear my issue is different.

Enable PKI debugs and try the transfer again then post the output here. Also make sure you include the full certificate chain in the PEM file, not only the WLC certificate.

debug pm pki enable
transfer download start

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

William Foster — Tue, 21 Jan 2020 18:29:41 GMT

Sorry for the delay in response. I was able to get this issue resolved. My cert was not formatted correctly. It had to be like below

------BEGIN CERTIFICATE------
*End Entity Certificate Content*
------END CERTIFICATE------
------BEGIN CERTIFICATE------
*Intermediate CA Certificate Content*
------END CERTIFICATE--------
------BEGIN CERTIFICATE------
*Root CA Certificate Content*
------END CERTIFICATE------

Once I had the cert in that format then it downloaded the cert. So it is good to know if the cert is not correct then the WLC will not even download the cert.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Etienne Buxin — Wed, 22 Jan 2020 13:11:48 GMT

>> So it is good to know if the cert is not correct then the WLC will not even download the cert.

It will download the cert but it will discard it if not well formatted 😉

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Scott Fella — Wed, 22 Jan 2020 14:10:48 GMT

Yeah... that is what happens if there is anything wrong with a cert that gets uploaded.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

ROB LYLE — Sun, 02 Aug 2020 11:32:32 GMT

@Scott Fella so what does someone do when a cert is uploaded, but rejected? How do I dind out WHY it was rejected?

I have a correctly chained PEM certificate file. It is accepted by the transfer download process and installed. The CSR was generated by the CLI on the WLC (2504, runing 8.5) and it was signed by a Microsoft CA.

When I install this certificate, it blindly accepts it, makes me restart the WLC (really, really annoying having 2-3 mins of outage every time I "experiment") then no longer responds on port 443 for HTTPs for webadmin.

I am forced to generate a self-signed cert again to get access to the web GUI.

Some more debug help from the WLC would be most welcome here. Is there a way to peek under the hood to actually see detail on why it isn't working?

Thanks in advance.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Scott Fella — Sun, 02 Aug 2020 11:51:09 GMT

I’m not understanding what is wrong? Web admin and web Auth certainly are uploaded to the controller in two different locations. The cert is uploaded so it’s seems to be fine, my question would be, is there a dns entry defined and is it pointing to the right ip? Webauth points to the VIP so your fqdn needs to resolve to the VIP. The management ip resolves to the fqdn you specified on the cert. I have only used OpenSSL to generate certificates, never on the controller. Also make sure you flush out your browser dns entries after uploading the cert.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

ROB LYLE — Sun, 02 Aug 2020 12:03:45 GMT

Gah! A quick "debug pm pki enable" made me notice one error.

transfer download datatype webauthcert
changed to ...
transfer download datatype webadmincert

I was downloading my webadmin signed certificate to the webauth location. Strange that it accepted that, as the CSR was generated for webadmin via the CLI.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Scott Fella — Sun, 02 Aug 2020 12:47:09 GMT

Well it’s a cert and you can use it on either. The cert is not valid unless it can be resolved.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

ROB LYLE — Sun, 02 Aug 2020 13:11:01 GMT

If I only understood how the WLC matches private keys with certificates, then I'd agree. The WLC CLI interface specifically asks for "webadmin" and "webauth" certificates implying that different certificates are needed for each, with private keys stored in different places.

On a slightly unrelated (probably) note, how do I undo this command:

(Cisco Controller) >config certificate use-device-certificate webadmin

There is no "enable" or "disable" here and I can't find any documentation online about what this actually does. I am guessing it forces use of a builtin Cisco manufacturer certificate and would be undone when I install my own 3rd party certificate or generate a self-signed local cert? Total guess however as the Cisco Wireless Controller Configuration Guide, Release 8.5 (b_cg85.pdf) doesn't tell me anything. Sniff.

Re: Webauth and Webadmin certificates fail to install on a WLC 5520

Scott Fella — Sun, 02 Aug 2020 16:23:09 GMT

You need to go on the GUI and generate a self-signed. One you generate a self signed or upload a new cert, the wlc doesn’t keep any other cert for that purpose.